Additional opportunities to prevent email abuse through domain matching?

jerrybell

Hello,

I've had an unfortunate string recently with email accounts being hijacked by spammers and used to relay spam through my server. I don't know if the spammers are getting the email through malware on the PC of the account owner, sniffing wifi connections, or offering chocolate bars to the users, but it's happened 3 times in about 6 months.

In any event, I noticed that in each case the spammers are using a completely fake from address - usually @aol.com or some other big name domain.

It seems to me that I should not be allowing email to be sent through my server where the domain in the from address is not a local domain or some domain that I explicitly allow. Is there an option to enable this kind of restriction?

It would be even nicer if I had the option to limit authenticated senders to only sending from the address they authenticated with. So, if I auth with the name "[email protected]", I can only send email where my from address is "[email protected]". Is there a reasonable way to do this?

Thanks much!

Jerry
 

cPanelMichael

Administrator
Staff member
Hello :)

You may find the following option in "WHM Home » Service Configuration » Exim Configuration Manager" under the "Mail" tab useful:

"EXPERIMENTAL: Rewrite From: header to match actual sender"

Per its description:

"If you enabled this option, the From: header will be rewritten to be the email address of the actual message sender. If you choose the "remote" option, only messages that are being sent to remote destinations will be affected."

Thank you.
 

vanessa

I didn't test this, but theoretically you can add this to the ACL section of exim.conf (WHM -> Exim Configuration Manager -> Advanced)

Code:
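acl_check_sender:
   # Refuse an authenticated session whose envelope sender domain is not local;
   # both conditions must hold for the deny to fire.
   deny authenticated = *
        !sender_domains = +local_domains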

This would basically make sure the sender is a local domain on the server, but will not go as far as matching the email addresses.
 

brianoz

vanessa said:
> This would basically make sure the sender is a local domain on the server, but will not go as far as matching the email addresses.
Vanessa - that's really useful. Is there a way to provide a specific message? I'd like to track a resulting log message and use that to disable that SMTP user as they've obviously been hacked.
 

vanessa

brianoz said:
> Vanessa - that's really useful. Is there a way to provide a specific message? I'd like to track a resulting log message and use that to disable that SMTP user as they've obviously been hacked.
This might work (again, didn't test. I'm sorta lazy):

Code:
acl_check_sender:
   # Refuse (and log) an authenticated session whose envelope sender domain is not local
   deny authenticated = *
        !sender_domains = +local_domains
        log_message = "Sender domain does not match authenticated domain."
        message = "Sender domain does not match authenticated domain."
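
An added example, not part of the thread or of cPanel's tooling: a Python audit of Exim main-log arrival (`<=`) lines that flags authenticated logins whose envelope sender is outside the local domains, or differs from the login itself, which is the pattern described in the first post. The log lines, domains and function names are constructed for illustration, and the `A=authenticator:login` field is assumed to be present in the log.

```python
import re
from collections import Counter

# Constructed sample lines in Exim main-log arrival ("<=") format.
SAMPLE_LOG = """\
2014-04-26 10:15:02 1WdxyZ-0001Ab-Cd <= jerry@example.com H=(laptop) [203.0.113.5]:51234 P=esmtpsa A=dovecot_login:jerry@example.com S=1432
2014-04-26 10:16:40 1Wdy0A-0001Bc-De <= promo1@aol.com H=(pc) [198.51.100.7]:40110 P=esmtpa A=dovecot_plain:sales@example.com S=2210
2014-04-26 10:16:41 1Wdy0B-0001Bd-Df <= promo2@aol.com H=(pc) [198.51.100.7]:40111 P=esmtpa A=dovecot_plain:sales@example.com S=2198
2014-04-26 10:17:05 1Wdy0C-0001Be-Dg <= bob@example.net H=(desk) [203.0.113.9]:55002 P=esmtpsa A=dovecot_login:alice@example.net S=901
2014-04-26 10:18:30 1Wdy0D-0001Bf-Dh <= news@remote.example H=mx.remote.example [192.0.2.25]:25 P=esmtp S=5120
"""

# Envelope sender follows "<="; A= carries "<authenticator>:<authenticated id>".
ARRIVAL = re.compile(r" <= (?P<sender>\S+) .*? A=(?P<auth>[^:\s]+):(?P<login>\S+)")

def domain(addr):
    return addr.rpartition("@")[2].lower()

def classify(sender, login, local_domains):
    """Return 'ok', 'foreign-domain' or 'address-mismatch' for one arrival."""
    if sender == "<>":                      # null sender (bounce): nothing to compare
        return "ok"
    if domain(sender) not in local_domains:
        return "foreign-domain"             # what the domain-level ACL would refuse
    if "@" in login and sender.lower() != login.lower():
        return "address-mismatch"           # the stricter per-address policy
    return "ok"

def audit(log_text, local_domains):
    """Count suspicious authenticated arrivals per (login, verdict)."""
    local = {d.lower() for d in local_domains}
    findings = Counter()
    for line in log_text.splitlines():
        m = ARRIVAL.search(line)
        if not m:
            continue                        # unauthenticated or non-arrival line
        verdict = classify(m["sender"], m["login"], local)
        if verdict != "ok":
            findings[(m["login"], verdict)] += 1
    return findings

if __name__ == "__main__":
    for (login, verdict), n in audit(SAMPLE_LOG, ["example.com", "example.net"]).items():
        print(f"{login}: {n} x {verdict}")
```

A login that shows up under `foreign-domain` is a candidate for a password reset and a check of the client machine.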
 

Dayneuske

I am having the same issue as OP and would love to implement the fix proposed by vanessa.

However, I am not able to find the "acl_check_sender:" section of the advanced exim configuration manager. Doing a search for the setting has not helped any either.

Can you tell me if this is a custom acl that needs to be added or if my version of the advanced exim configuration manager is messed up?

If there is documentation on this setting can you provide the link and let me know the search terms used to find it? (Always looking to improve my search skills)
 

cPanelMichael

Administrator
Staff member
There is more discussion of that ACL here which you may find useful:

acl_deny_sender

Thank you.